CODEWITHSUNDEEP
phplaravel-5htmlspecialchars
Luna
Luna

Reputation: 557

How to allow & symbol when using htmlspecialchars()

I am using htmlspecialchars() on my site to display status post from users. The status post is being saved to my database and pulled to show in their timeline.

I'm using laravel 5.3

The problem is if someone post something like: Netflix & Chill, this turns into Netflix & Chill

How can i still use htmlspecialchars() so that I can keep my site safe, but still show the proper text instead of turning even & symbol into &

Upvotes: 3

Views: 3816

Answers (2)

toastrackengima
toastrackengima

Reputation: 8732

htmlspecialchars converts a raw ASCII character into it's HTML entity. This means that they will still be rendered correctly on the page (i.e. a < symbol will still appear as < on the page), but will not have any special meaning for HTML.

Thus, in the database, they will appear as entity codes, but when rendered onto the page, users will be able to see them as the initial characters that they typed.

If you need to preserve the characters in the database (I am not sure why you would need to), you could look into replacing them with homoglyphs, as preserving their appearance in the database and the protection of your HTML is not possible if you are simply using htmlspecialchars.

Upvotes: 1

Don&#39;t Panic
Don&#39;t Panic

Reputation: 41810

It should display the proper text.

The most common reason I've seen for what you're describing is double encoding. (Passing the string through htmlspecialchars twice.) For example, with

$str = 'Netflix & Chill';

If you use echo htmlspecialchars($str), you'll see 'Netflix & Chill' in the browser. But if you use echo htmlspecialchars(htmlspecialchars($str)); instead, you'll see the escaped ampersand in the browser. (If you view the page source, it's actually Netflix &amp;amp; Chill.)

You may be inadvertently doing this if you're using a template that escapes the output automatically. I noticed you tagged the question with Laravel, and blade templates do this. See here in the documentation:

Blade {{ }} statements are automatically sent through PHP's htmlspecialchars function to prevent XSS attacks.

If that's what you're using to display your data, you shouldn't use htmlspecialchars before you send the values to the template.

Upvotes: 1

Related Questions